Summary and recommendation
Ramp user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Ramp is a corporate card and spend management platform with a role-based access model built around five fixed roles: Owner, Admin, Bookkeeper, Manager, and Employee.
There are no custom roles or per-permission granularity - every app user lands in one of these predefined buckets. SCIM provisioning is included on all plans, including Free, with full support for Okta, Azure AD (Entra ID), and Rippling.
Quick facts
| Admin console path | Settings > Team > Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Free (SCIM included) |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Owner | Full administrative access including billing, bank account management, and all admin capabilities. Only one Owner per account. | Cannot be deactivated while still the sole Owner; ownership must be transferred first. | $0 (Free plan) or $15/user/mo (Plus plan) | There can only be one Owner at a time; transferring ownership requires explicit reassignment. | |
| Admin | Can manage users, cards, limits, reimbursements, and most settings. Cannot manage bank accounts or billing. | Cannot access billing settings or transfer ownership. | $0 (Free plan) or $15/user/mo (Plus plan) | ||
| Bookkeeper | Read-only access to transactions, receipts, and accounting exports. Can manage accounting integrations. | Cannot issue cards, approve requests, or manage users. | $0 (Free plan) or $15/user/mo (Plus plan) | Bookkeeper role is intended for external accountants; does not consume a cardholder seat in the same way. | |
| Manager | Can approve spend requests and view transactions for direct reports. Can set limits for their team. | Cannot manage company-wide settings, users outside their team, or accounting integrations. | $0 (Free plan) or $15/user/mo (Plus plan) | Manager permissions are scoped to their direct report hierarchy only. | |
| Employee | Can submit reimbursements, view own card and transactions, upload receipts. | Cannot view other users' transactions, manage cards for others, or access admin settings. | $0 (Free plan) or $15/user/mo (Plus plan) |
Permission model
- Model type: role-based
- Description: Ramp uses a fixed set of predefined roles (Owner, Admin, Bookkeeper, Manager, Employee). Roles are assigned per user and determine access scope. There is no documented support for fully custom roles or granular permission sets beyond the predefined options.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level only; no documented per-permission granularity within roles.
How to add users
- Navigate to Settings > Team > Users in the Ramp admin console.
- Click 'Invite user' or 'Add user'.
- Enter the user's first name, last name, and work email address.
- Select the user's role (Employee, Manager, Admin, Bookkeeper, or Owner).
- Optionally assign a manager, department, and location.
- Click 'Send invite'. The user receives an email invitation to activate their account.
Required fields: First name, Last name, Work email address, Role
Watch out for:
- Users must accept the email invitation before they can access Ramp; pending invites can be resent from the Users list.
- If SCIM provisioning is active, manually invited users may conflict with directory-synced users if the same email exists in the IdP.
- Assigning a physical or virtual card is a separate step after the user is created.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Settings > Team > Users > Import users (CSV upload option) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Free (SCIM included on all plans) |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Ramp does not permanently delete user accounts. Users are deactivated, which suspends their access and cancels associated cards. Historical transaction data tied to the user is retained for audit and accounting purposes.
- Navigate to Settings > Team > Users.
- Locate the user and click on their name to open their profile.
- Click the 'Deactivate' option (may appear under a menu or action button).
- Confirm the deactivation. Any active cards assigned to the user will be cancelled automatically.
| Data impact | Behavior |
|---|---|
| Owned records | Transaction history, receipts, and reimbursement records associated with the user are retained and remain visible to admins. |
| Shared content | Memos and receipts attached to transactions remain accessible to admins after deactivation. |
| Integrations | SCIM-based deprovisioning via Okta, Azure AD, or Rippling will trigger deactivation automatically when the user is removed from the IdP. |
| License freed | Deactivating a user removes them from the active user count, which may reduce the billable seat count on paid plans. |
Watch out for:
- All physical and virtual cards assigned to the user are cancelled upon deactivation; any recurring charges on those cards will fail.
- If the user is the sole Owner, ownership must be transferred before deactivation is possible.
- Deactivated users cannot be reactivated by simply re-inviting the same email if SCIM is in use; the reactivation must be initiated from the IdP.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Free plan user | Core spend management, corporate cards, reimbursements, basic integrations | $0 |
| Plus plan user | Everything in Free plus advanced controls, custom fields, and additional integrations | $15/user/month (billed monthly) or ~$12/user/month (billed annually, ~20% savings) |
| Enterprise plan user | Custom pricing; includes advanced ERP integrations, dedicated support, and enterprise controls | Custom |
- Where to check usage: Settings > Team > Users (shows active user count and status)
- How to identify unused seats: Filter the Users list by 'Last active' date or look for users with no card activity. Ramp does not have a documented built-in 'inactive user' report, but admins can sort/filter the user list.
- Billing notes: Ramp bills per active user on paid plans. Deactivating a user should remove them from the billable count. SCIM is included on all plans including Free. Annual billing for Plus saves approximately 20% versus monthly.
The cost of manual management
Without automated provisioning, every app in your stack that touches employee spend data requires a manual touchpoint when someone joins, changes roles, or leaves. In Ramp specifically, deactivation must be done before offboarding is complete - and if you miss it, active cards remain live.
The Owner role adds a hard constraint: there is only one Owner at a time, and deactivation is blocked until ownership is explicitly transferred.
The decision
Use SCIM if your IdP is Okta, Azure AD, or Rippling - it's included on the Free plan and covers the full provisioning lifecycle. If your IdP is Google Workspace, note that Google SSO is supported but SCIM provisioning is not; you'll need a manual or API-based workflow instead.
For orgs that need role assignments beyond CARDHOLDER at provisioning time, SCIM alone is insufficient - Okta group push maps to Ramp Departments, not Roles, so admin-level role assignments still require a manual step in Ramp after provisioning.
Bottom line
Ramp's provisioning story is strong for the three supported IdPs (Okta, Azure AD, Rippling) and the price is right - SCIM is free on every plan.
The gaps are predictable: no custom roles, no Google SCIM, and a deactivation model that requires coordination around active cards and the single-Owner constraint.
Teams running a supported IdP can automate the full user lifecycle; everyone else is patching with manual steps or the REST API.
Automate Ramp workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
